Redis Cluster and auth (password)


HeartSaVioR

Mar 26, 2014, 10:13:14 AM
to redi...@googlegroups.com
Hello all!

I'm testing with the Redis unstable branch (3cf6f1f54fb3a31fb7157ab54919455feda41466).

With the unstable branch, I can set "requirepass" with cluster-enabled yes, and the Redis instance asks for a password.
(I've confirmed with redis-cli.)

But redis-trib.rb doesn't seem to use the password, and redis-trib complains that it cannot connect to the Redis instance.

What is the right thing? redis-cli or redis-trib?
And should I set "masterauth" if I use replication with Redis Cluster?

Thanks in advance!

Sincerely.
Jungtaek Lim (HeartSaVioR)

Matt Stancliff

Mar 26, 2014, 11:38:40 AM
to redi...@googlegroups.com

On Mar 26, 2014, at 10:13 AM, HeartSaVioR <kab...@gmail.com> wrote:

> With the unstable branch, I can set "requirepass" with cluster-enabled yes, and the Redis instance asks for a password.
> (I've confirmed with redis-cli.)
>
> But redis-trib.rb doesn't seem to use the password, and redis-trib complains that it cannot connect to the Redis instance.
>
> What is the right thing? redis-cli or redis-trib?
> And should I set "masterauth" if I use replication with Redis Cluster?

Right now, there is no way to set up a Redis Cluster with passwords. Actually, Redis Cluster should probably disable the password feature. Auth passwords get confusing when used in a cluster (as you’ve discovered). Plus, since the cluster backend (the binary cluster bus) doesn’t use the password, mismatched passwords don't stop cluster nodes from connecting to each other.

[The requirepass password is plain text and unauthenticated, so it actually provides no security unless you run Redis behind something like spiped and have nobody on either host who can snoop local ports.]

Cluster already disables having multiple “databases,” so disabling another server-level feature seems acceptable too.


-Matt

Jan-Erik Rediger

Mar 26, 2014, 11:43:36 AM
to redi...@googlegroups.com

First things first to clear some things up:

redis-cli and redis-trib serve different purposes.
redis-cli is the low-level command line tool to execute commands and
fetch data from redis instances. It works with all commands and has a
special cluster mode. You could use it to manage your cluster but you
would have to type the complete protocol/commands yourself.

redis-trib.rb is a helper script for managing a Cluster setup. It
provides an abstraction from all the necessary commands to create and
manage a Redis Cluster.

Right now redis-trib.rb cannot handle password-protected instances.
This is a bug and should be fixed sometime soon. Could you open a bug
report on this?

The masterauth config option is necessary for slaves to talk to their
master so yes, it should be provided.
Now that you brought up this problem I'm not really sure if a
password-protected Redis Cluster will work correctly when passwords from
instances differ (as Redis Cluster will promote slaves to master if
necessary and vice-versa). Maybe antirez can step in here.

Salvatore Sanfilippo

Mar 26, 2014, 11:49:53 AM
to Redis DB, Jan-Erik Rediger
Hey,

Redis Cluster never uses normal connections to send commands to Redis
instances between nodes. It always uses the cluster bus, and slaves
always auto-elect themselves, masters always auto-demote, and so
forth.
So technically adding password support to redis-trib and Redis cluster
is as simple as adding a switch to redis-trib that sends AUTH at every
new connection with a node.

However as Matt commented, it is not clear if there is a real security
gain given that masters have an additional open port, the cluster bus.
Probably it is still somewhat useful because you may create some kind
of DMZ where your hosts can talk in the cluster port, but where
connections from outside can only target your mapped cluster ports.

Still, is it worth it, for an authentication system as weak as Redis
employs? Probably not.

Long story short, for now we'll leave things as they are, that is, you
can't enable authentication in a cluster if you want to talk to the
cluster with redis-trib. Later there will be time to understand what
to do, whether to improve the authentication system or to remove it
from Cluster altogether.

Salvatore
--
Salvatore 'antirez' Sanfilippo
open source developer - GoPivotal
http://invece.org

To "attack a straw man" is to create the illusion of having refuted a
proposition by replacing it with a superficially similar yet
unequivalent proposition (the "straw man"), and to refute it
-- Wikipedia (Straw man page)
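
The two points made about AUTH in this thread (Matt's note that the requirepass password travels as plain text, and Salvatore's description of a switch that sends AUTH on every new connection to a node), as an added Ruby example that is not part of any post and is not redis-trib code. `auth_connection`, `FakeNode`, `password_visible?` and the passwords used with them are hypothetical and constructed; `FakeNode` stands in for a socket so the block runs without a Redis server.

```ruby
require "stringio"

# Encode a command as a RESP array of bulk strings (the Redis wire format).
def resp_encode(*args)
  out = "*#{args.size}\r\n".b
  args.each do |a|
    s = a.to_s.b
    out << "$#{s.bytesize}\r\n" << s << "\r\n"
  end
  out
end

# Hypothetical helper: authenticate a freshly opened connection before any
# other command is sent. `io` is anything that responds to write and gets.
def auth_connection(io, password)
  return :no_auth if password.nil? || password.empty?
  io.write(resp_encode("AUTH", password))
  reply = io.gets("\r\n").to_s.chomp
  raise "AUTH rejected: #{reply}" unless reply == "+OK"
  :authenticated
end

# Constructed stand-in for a TCP socket: records what the client writes and
# replays canned server replies.
class FakeNode
  attr_reader :sent

  def initialize(replies)
    @sent = "".b
    @replies = StringIO.new(replies)
  end

  def write(bytes)
    @sent << bytes
    bytes.bytesize
  end

  def gets(sep)
    @replies.gets(sep)
  end
end

# True when the password appears byte-for-byte in captured traffic, which is
# what anyone able to observe the connection would see.
def password_visible?(wire_bytes, password)
  wire_bytes.include?(password.b)
end
```
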

HeartSaVioR

Mar 26, 2014, 7:15:13 PM
to redi...@googlegroups.com, Jan-Erik Rediger
Hello, Salvatore.

I see your thought - current auth is insecure, and meaningless to Redis Cluster. Right?
Then I think we should protect the Redis instance to prevent specifying both requirepass (and masterauth) and cluster-enabled yes.
What do you think?

Regards.
Jungtaek Lim (HeartSaVioR)

On Thursday, March 27, 2014 at 12:49:53 AM UTC+9, Salvatore Sanfilippo wrote:
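
A configuration lint applying the conclusions of this thread to a set of node configs, as an added Ruby example that is not part of any post and is not Redis or redis-trib code. The finding names and `SAMPLE_NODES` are constructed, and the uniformity check is an assumption drawn from Jan-Erik's concern about passwords differing between instances that can swap roles.

```ruby
# Parse redis.conf text into a Hash of directive => value (last one wins).
def parse_conf(text)
  conf = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    conf[key.downcase] = value.to_s.gsub(/\A"|"\z/, "")
  end
  conf
end

# nodes: { node_name => redis.conf text }. Returns [subject, finding] pairs.
def audit_cluster_auth(nodes)
  cluster = nodes.transform_values { |t| parse_conf(t) }
                 .select { |_, c| c["cluster-enabled"] == "yes" }
  findings = []
  cluster.each do |name, c|
    next unless c.key?("requirepass")
    # Per the thread: redis-trib cannot connect to password-protected nodes.
    findings << [name, :requirepass_with_cluster]
    # Per the thread: a slave needs masterauth to talk to its master.
    findings << [name, :masterauth_missing] unless c.key?("masterauth")
  end
  # Assumption: any node may become master, so every requirepass and
  # masterauth value in the cluster should be the same.
  req = cluster.values.map { |c| c["requirepass"] }.uniq
  ma = cluster.values.map { |c| c["masterauth"] }.compact
  findings << [:cluster, :passwords_not_uniform] if req.size > 1 || (ma - req).any?
  findings
end

# Constructed sample configs for three cluster nodes.
SAMPLE_NODES = {
  "node-a" => "port 7000\ncluster-enabled yes\nrequirepass \"pw-one\"\nmasterauth pw-one\n",
  "node-b" => "port 7001\ncluster-enabled yes\n# no masterauth here\nrequirepass pw-two\n",
  "node-c" => "port 7002\ncluster-enabled yes\n"
}.freeze
```
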